Meta fined €91 million for storing millions of passwords for Facebook and Instagram in plaintext.


The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) following an investigation into a security incident in March 2019, when the company revealed it had mistakenly stored users' passwords for Facebook and Instagram in plaintext.

Launched in April 2019, the investigation found that Meta violated four articles of the European Union's General Data Protection Regulation (GDPR): Articles 5(1)(f) and 32(1), which require appropriate security for personal data, and Articles 33(1) and 33(5), which cover breach notification and documentation. The DPC faulted Meta for failing to notify the commission of the breach without undue delay, for not documenting the personal data breaches arising from the plaintext password storage, and for lacking adequate technical measures to protect the confidentiality of user passwords.

Initially, Meta disclosed that the breach had exposed a subset of Facebook users' passwords in plaintext but said it had found no evidence that these passwords were accessed or misused internally. According to Krebs on Security, some of the exposed passwords dated back to 2012, and a senior employee said that around 2,000 engineers and developers had made approximately nine million internal queries for data elements containing plaintext user passwords.

A month later, Meta acknowledged that millions of Instagram passwords were stored in a similar manner and began notifying affected users. "It is widely accepted that user passwords should not be stored in plaintext due to the risks of abuse associated with such data access," said Graham Doyle, deputy commissioner at the DPC, in a press statement. He added that the passwords in question are particularly sensitive, as they provide access to users' social media accounts.
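The accepted alternative to storing passwords in plaintext is to store only a salted, memory-hard hash and compare hashes at login, so that neither a database dump nor an internal query ever yields the password itself. The following is an added illustration, not Meta's code or anything described in the investigation; the scrypt cost parameters, record format and sample passwords are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed cost parameters for the example (128 * r * N bytes of memory,
# i.e. 16 MiB here). Production values should be tuned to the login server.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DERIVED_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash and return a self-describing record.

    The record carries the scheme, cost parameters and salt alongside the
    digest, so parameters can be raised later without a flag day. The
    plaintext password is never stored.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DERIVED_LEN,
    )
    return "$".join(
        ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), digest.hex()]
    )


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored record and compare in constant time.

    Malformed or unknown records are rejected rather than raising, so a
    corrupted row cannot turn into an unhandled error on the login path.
    """
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        digest = hashlib.scrypt(
            password.encode("utf-8"),
            salt=salt,
            n=int(n),
            r=int(r),
            p=int(p),
            dklen=len(expected),
        )
    except (ValueError, TypeError):
        return False
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(digest, expected)


def contains_plaintext(record: str, password: str) -> bool:
    """Sanity check an auditor might run over stored rows: the password string
    must not appear anywhere in what is persisted."""
    return password in record


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    pw = "correct horse battery staple"
    stored = hash_password(pw)
    print("stored record:", stored)
    print("login with right password:", verify_password(pw, stored))
    print("login with wrong password:", verify_password("wrong", stored))
    print("record leaks plaintext:", contains_plaintext(stored, pw))
```

Two properties are worth noting when reading the output: hashing the same password twice produces different records because each gets its own salt, and the verification path parses the cost parameters from the record rather than from global constants, which is what lets old rows keep working after the defaults are raised.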

In a statement to the Associated Press, Meta said it took "immediate action" to rectify the issue and that it had "proactively flagged this issue" to the DPC.

Credit: The Hacker News.